
Revision 17f6c75c

Added by Serghei Mihai almost 10 years ago

LDAP and RADIUS management scripts


control
20 20
Architecture: all
21 21
Depends: ${misc:Depends},
22 22
    python-uauth (= ${binary:Version}),
23
    gunicorn, slapd, freeradius-ldap
23
    gunicorn, slapd, freeradius-ldap,
24
    ldapvi
24 25
Recommends: nginx, postgresql
25 26
Description: Captive potail in the Cloud
lib/reset-slapd
1
#!/bin/sh
2
# initial configuration of slapd
3

  
4
set -e
5

  
6
LDIFDIR=/usr/share/u-auth
7
SERVICE="/usr/sbin/service slapd"
8

  
9
echo ""
10
echo "  *************"
11
echo "  *           *   La configuration et toutes les données"
12
echo "  * ATTENTION *   de l'annuaire LDAP vont être définitivement"
13
echo "  *           *   effacées. Avez-vous fait un backup ?"
14
echo "  *************"
15

  
16
echo ""
17
echo "Confirmez la MISE A ZÉRO COMPLÈTE de l'annuaire LDAP."
18
echo ""
19
echo -n "Tapez oui en toutes lettres : "
20
read ok
21
if [ "x$ok" != "xoui" ]; then
22
	exit 3
23
fi
24

  
25
${SERVICE} stop || true
26

  
27

  
28
BACKUPDIR="/var/backup/reset-ldap-`date +%Y%m%dT%H:%M:%S`"
29
mkdir -p "$BACKUPDIR"
30
echo Old configuration saved in $BACKUPDIR
31
cp -R /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR"
32

  
33
echo -n "Effacement de la configuration"
34
rm -rf /etc/ldap/slapd.d/*
35
echo -n " et des données .."
36
rm -rf /var/lib/ldap/*
37
echo "ok"
38

  
39
if ! grep "^\s*profile\s\+config\s*$" /etc/ldapvi.conf > /dev/null 2>&1; then
40
        echo "(ajout du 'profile config' dans /etc/ldapvi.conf)"
41
        cat << EOLDAPVI >> /etc/ldapvi.conf
42

  
43
profile config
44
host: ldapi://
45
sasl-mech: EXTERNAL
46
base: cn=config
47

  
48
EOLDAPVI
49
fi
50

  
51

  
52

  
53
mkdir /var/lib/ldap/config-accesslog/
54

  
55
echo "Installation de la nouvelle configuration .. "
56
slapadd -n0 -F/etc/ldap/slapd.d -l${LDIFDIR}/config.ldif
57
echo "ok"
58

  
59
echo "Installation des schémas .. "
60
slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/core.ldif
61
slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/cosine.ldif
62
slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/inetorgperson.ldif
63
echo "ok"
64

  
65
chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap
66

  
67
if [ ! -s /etc/ldap/ssl/slapd.pem -o ! -s /etc/ldap/ssl/slapd.key ]; then
68
	echo "Pose de certificats SSL par défaut (invalides)"
69
	mkdir -p /etc/ldap/ssl
70
	cp -v ${LDIFDIR}/ssl.pem /etc/ldap/ssl/slapd.pem
71
	cp -v ${LDIFDIR}/ssl.key /etc/ldap/ssl/slapd.key
72
	chown -R root:openldap /etc/ldap/ssl
73
	chmod 0755 /etc/ldap/ssl
74
	chmod 0644 /etc/ldap/ssl/slapd.pem
75
	chmod 0640 /etc/ldap/ssl/slapd.key
76
	echo "ok"
77
fi
78

  
79
${SERVICE} start
80

  
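Review bot: The backup taken by `cp -R /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR"` copies the directory data (which setup-slapd populates with `userPassword` values) and cn=config (which carries `olcRootPW`) into a directory created with the caller's umask and without preserving source modes, so the copy under /var/backup can end up readable by any local user. Create it restricted and keep modes: `mkdir -p -m 0700 "$BACKUPDIR"` and `cp -Rp /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR"`. The confirmation line should also be `echo "Old configuration saved in $BACKUPDIR"` and the prompt `read -r ok`, since the unquoted and non-raw forms mangle paths and input containing spaces or backslashes. The key pair copied from `${LDIFDIR}/ssl.key` is shipped inside the package and therefore not secret; a comment such as `# placeholder key shipped with the package: replace before exposing ldaps://` next to the "(invalides)" message would make that explicit to whoever reads the log.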
lib/reset-slapd.help
1
mise à zéro complète
2

  
3
Attention, cela efface complétement la configuration et
4
les données actuelles du serveur LDAP (slapd).
lib/setup-radius
1
#!/bin/sh
2
# Do initial configuration of freeradius
3

  
4
set -e
5

  
6
CONF_DIR = '/etc/freeradius'
7
BASEDIR=`dirname $0`
8

  
9
service freeradius stop
10

  
11
cp "$CONF_DIR/sites-available/default" "$CONF_DIR/sites-available/default.backup"
12
cp "$BASEDIR/radius-default.conf" "$CONF_DIR/sites-available/default"
13

  
14
service freeradius start
15

  
16

  
17

  
18

  
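Review bot: `CONF_DIR = '/etc/freeradius'` is not an assignment in sh — it runs a command named CONF_DIR with two arguments, which fails and, under `set -e`, aborts the script before `service freeradius stop` is reached, so this script cannot currently work. It should read `CONF_DIR=/etc/freeradius`. The backtick assignment to BASEDIR should quote its argument, `BASEDIR=$(dirname "$0")`, and the `cp` to `default.backup` overwrites the backup on every run, so a second invocation after a manual edit of the site file loses the original; guarding it with `[ -e "$CONF_DIR/sites-available/default.backup" ] ||` keeps the first copy.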
lib/setup-radius.help
1
activation et parametrage du module ldap dans radius
lib/setup-slapd
1
#!/bin/sh
2
# Do initial configuration of slapd
3

  
4
set -e
5

  
6
LDIFDIR=/usr/share/u-auth
7

  
8
BACKUPDIR="/var/backup/reset-ldap-`date +%Y%m%dT%H:%M:%S`"
9
mkdir -p "$BACKUPDIR"
10
echo Old configuration saved in $BACKUPDIR
11
cp -R /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR"
12
rm -rf /var/lib/ldap/*
13
mkdir /var/lib/ldap/config-accesslog/
14

  
15
echo Load overlay modules, configure auditlog for cn=config
16
slapadd -n0 -F/etc/ldap/slapd.d -l${LDIFDIR}/radius.ldif
17

  
18
echo "Suffixe de la base à créer (exemple : dc=univ-psl,dc=fr) :"
19
echo -n "-> "
20
read SUFFIX
21
echo
22

  
23
if [ -d "/var/lib/ldap/$SUFFIX" ]; then
24
        echo "ERR: le répertoire '/var/lib/ldap/$SUFFIX' existe déjà" >&2
25
        exit 1
26
fi
27

  
28
if ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config olcSuffix=$SUFFIX 2>/dev/null | grep -q '^result: [1-9]'; then
29
        echo "ERR: le suffixe $SUFFIX existe déjà" >&2
30
        exit 2
31
fi
32

  
33
echo "Choisir un mot de passe administrateur (uid=admin,ou=people,$SUFFIX) :"
34
echo -n "-> "
35
stty -echo
36
read PASSWORD
37
stty echo
38
echo
39
echo "Une nouvelle fois :"
40
echo -n "-> "
41
stty -echo
42
read PASSWORD2
43
stty echo
44
echo
45
if [ x"$PASSWORD" != x"$PASSWORD2" ]; then
46
        echo "ERR: mots de passe différents" >&2
47
        exit 3
48
fi
49
echo
50

  
51
echo "Nom de l'organisation (ou=...) :"
52
echo "uniquement des majuscules, sans accent"
53
echo "Exemple: ENS"
54
echo -n "-> "
55
read ORGANIZATION
56
echo
57

  
58

  
59
echo "Récapitulatif :"
60
echo " Suffixe : $SUFFIX"
61
echo "     Nom : $ORGANIZATION"
62
echo "DN établissement : ou=$ORGANIZATION,$SUFFIX"
63
echo
64
echo "Créer cette base ? (taper oui)"
65
echo -n "-> "
66
read OK
67
echo
68

  
69
if [ "x$OK" != "xoui" ]; then
70
        exit 4
71
fi
72

  
73
DC=`echo $SUFFIX | sed 's/dc=\([^,]*\).*/\1/'`
74

  
75
DBDIR=/var/lib/ldap/$SUFFIX
76
DBACCESSLOGDIR=/var/lib/ldap/$SUFFIX/accesslog/
77

  
78
mkdir -p "$DBDIR" "$DBACCESSLOGDIR"
79

  
80
chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap
81

  
82
LDIF=`tempfile --prefix=newdb --suffix=.ldif`
83
cat << EOF > $LDIF
84
# LDAPVI syntax
85
add olcDatabase={1}mdb,cn=config
86
objectClass: olcDatabaseConfig
87
objectClass: olcMdbConfig
88
olcDatabase: {1}mdb
89
olcSuffix: $SUFFIX
90
olcDbDirectory: /var/lib/ldap/$SUFFIX/
91
olcRootDN: uid=admin,ou=people,$SUFFIX
92
olcRootPW: $PASSWORD
93
olcLastMod: TRUE
94
olcAddContentACL: FALSE
95
olcMonitoring: TRUE
96
olcSyncUseSubentry: FALSE
97
olcMaxDerefDepth: 0
98
olcLimits: {0}dn.exact="uid=admin,ou=people,$SUFFIX" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
99
olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
100
olcReadOnly: FALSE
101
# Index
102
olcDbIndex: objectClass,member,owner eq
103
olcDbIndex: mail,givenName,uid,cn,sn,displayName pres,eq,approx,sub
104
# Accès super-utilisateur
105
olcAccess: {0}to *
106
   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
107
   by group.exact="cn=admin,ou=groups,$SUFFIX" manage 
108
   by * break
109
# Branche people
110
olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword,labeledURI
111
   by self write
112
   by * break
113
# Les accès aux autres attributs utilisateurs
114
olcAccess: {2}to dn.one="ou=people,$SUFFIX"
115
   by users read
116
   by anonymous auth
117
   by * none
118
# Branche groups
119
# Le propriétaire du groupe
120
olcAccess: {3}to dn.one="ou=groups,$SUFFIX" 
121
   by set="this/owner & user" manage 
122
   by * break
123
# Les utilisateurs en général sur les attributs descriptifs
124
olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=cn,description,owner
125
   by users read 
126
   by * break
127

  
128
# Create accesslog DIT
129
add olcDatabase={1}mdb,cn=config
130
objectClass: olcDatabaseConfig
131
objectClass: olcMdbConfig
132
olcSuffix: cn=accesslog,$SUFFIX
133
olcDbDirectory: /var/lib/ldap/$SUFFIX/accesslog/
134
olcAccess: {0}to * 
135
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
136
  by group=cn=admin,ou=groupes,$SUFFIX manage
137
  by * break
138

  
139
add olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
140
objectClass: olcOverlayConfig
141
objectClass: olcSyncProvConfig
142
olcOverlay: {0}syncprov
143
olcSpCheckpoint: 100 10
144
olcSpSessionlog: 100
145

  
146
# Log all writes to the db
147
add olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
148
objectClass: olcAccesslogConfig
149
objectClass: olcOverlayConfig
150
objectClass: olcConfig
151
objectClass: top
152
olcOverlay: {1}accesslog
153
olcAccessLogDB: cn=accesslog,$SUFFIX
154
olcAccessLogOps: writes
155
# log are conserved one year and purged every day
156
olcAccessLogPurge: 365+00:00 1+00:00
157
# Keep a copy of everything
158
olcAccessLogOld: objectClass=*
159

  
160
add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
161
objectClass: olcOverlayConfig
162
objectClass: olcRefintConfig
163
olcOverlay: {2}refint
164
olcRefintAttribute: member 
165
olcRefintNothing: $SUFFIX
166

  
167
add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config
168
objectClass: olcOverlayConfig
169
objectClass: olcConstraintConfig
170
olcOverlay: {3}constraint
171
# un seul cn pour les utilisateurs
172
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)" 
173
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)" 
174
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)" 
175
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)" 
176
olcConstraintAttribute: dc regex "^[a-z0-9-]*$" 
177
olcConstraintAttribute: mail count 1
178
olcConstraintAttribute: mail 
179
  regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$" 
180
# olcConstraintAttribute: mailForwardingAddress 
181
  regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$" # mail ou uid
182

  
183
add $SUFFIX
184
objectClass: organization
185
objectClass: dcObject
186
dc: $DC
187
o: $ORGANIZATION
188

  
189
add ou=people,$SUFFIX
190
objectClass: organizationalUnit
191
ou: people
192

  
193
add uid=admin,ou=people,$SUFFIX
194
objectClass: inetOrgPerson
195
uid: admin
196
cn: Administrateur annuaire
197
displayName: Administrateur annuaire
198
givenName: Administrateur
199
sn: annuaire
200
userPassword: $PASSWORD
201

  
202
add ou=$ORGANIZATION,$SUFFIX
203
objectClass: organizationalUnit
204
ou: $ORGANIZATION
205

  
206
EOF
207

  
208

  
209
echo "Chargement de la définition de la nouvelle base annuaire ($LDIF) :"
210
ldapvi --verbose --profile config --ldapmodify --ldapvi --add $LDIF
211
# slapadd -n0 -F/etc/ldap/slapd.d -l${LDIF}
212
echo "OK"
213

  
214
chown -R openldap.openldap /etc/ldap/slapd.d /var/lib/ldap
215

  
216
LDAP_SETUP=`tempfile --prefix=ldap --suffix=.conf`
217
cat << EOF > $LDAP_SETUP
218
ldap {
219
	#
220
	#  Note that this needs to match the name in the LDAP
221
	#  server certificate, if you're using ldaps.
222
	server = "localhost"
223
	identity = "uid=admin,ou=people,$SUFFIX"
224
	password = "$PASSWORD"
225
	basedn = "$ORGANIZATION,$SUFFIX"
226
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
227
	#base_filter = "(objectclass=radiusprofile)"
228

  
229
	ldap_connections_number = 5
230

  
231
	#  How many times the connection can be used before
232
	#  being re-established. This is useful for things
233
	#  like load balancers, which may exhibit sticky
234
	#  behaviour without it. (0) is unlimited.
235
	max_uses = 0
236

  
237
	#  Port to connect on, defaults to 389. Setting this to
238
	#  636 will enable LDAPS if start_tls (see below) is not
239
	#  able to be used.
240
	#port = 389
241

  
242
	# seconds to wait for LDAP query to finish. default: 20
243
	timeout = 4
244

  
245
	#  seconds LDAP server has to process the query (server-side
246
	#  time limit). default: 20
247
	#
248
	#  LDAP_OPT_TIMELIMIT is set to this value.
249
	timelimit = 3
250

  
251
	#
252
	#  seconds to wait for response of the server. (network
253
	#   failures) default: 10
254
	#
255
	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
256
	net_timeout = 1
257

  
258
	# Mapping of RADIUS dictionary attributes to LDAP
259
	# directory attributes.
260
	dictionary_mapping = ${confdir}/ldap.attrmap
261

  
262
	#  Un-comment the following to disable Novell
263
	#  eDirectory account policy check and intruder
264
	#  detection. This will work *only if* FreeRADIUS is
265
	#  configured to build with --with-edir option.
266
	#
267
	edir_account_policy_check = no
268

  
269
	#  By default, if the packet contains a User-Password,
270
	#  and no other module is configured to handle the
271
	#  authentication, the LDAP module sets itself to do
272
	#  LDAP bind for authentication.
273
	#
274
	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
275
	#
276
	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
277
	#
278
	#  You can disable this behavior by setting the following
279
	#  configuration entry to "no".
280
	#
281
	#  allowed values: {no, yes}
282
	# set_auth_type = yes
283

  
284

  
285
	#  Keepalive configuration.  This MAY NOT be supported by your
286
	#  LDAP library.  If these configuration entries appear in the
287
	#  output of "radiusd -X", then they are supported.  Otherwise,
288
	#  they are unsupported, and changing them will do nothing.
289
	#
290
	keepalive {
291
		# LDAP_OPT_X_KEEPALIVE_IDLE
292
		idle = 60
293

  
294
		# LDAP_OPT_X_KEEPALIVE_PROBES
295
		probes = 3
296

  
297
		# LDAP_OPT_X_KEEPALIVE_INTERVAL
298
		interval = 3
299
	}
300
}
301
EOF
302

  
303

  
304
service freeradius stop
305

  
306
cp /etc/freeradius/modules/ldap /etc/freeradius/modules/ldap.backup
307
mv $LDAP_SETUP /etc/freeradius/modules/ldap
308

  
309
service freeradius start
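Review bot: The admin password is expanded inside two unquoted here-documents (`cat << EOF > $LDIF` and `cat << EOF > $LDAP_SETUP`), so a value containing `$`, backticks or a backslash is interpreted by the shell instead of being written literally, and the LDIF temp file that carries it in clear (`olcRootPW: $PASSWORD`, `userPassword: $PASSWORD`) is left behind in the temp directory after the `ldapvi ... --add $LDIF` step. Read it with `read -r PASSWORD`, set `trap 'stty echo' EXIT` before the first `stty -echo` so an interrupted prompt does not leave the terminal with echo off, add `rm -f "$LDIF"` right after the ldapvi line, and consider storing olcRootPW and userPassword as slappasswd hashes rather than in clear. The file moved to `/etc/freeradius/modules/ldap` keeps the mode `tempfile` created it with (0600, root-owned), which presumably the service's own user cannot read once freeradius restarts — verify, and since that file now holds the bind password, set ownership and mode explicitly after the `mv` rather than relying on the temp file's defaults. `basedn = "$ORGANIZATION,$SUFFIX"` lacks the `ou=` used everywhere else for that entry (`add ou=$ORGANIZATION,$SUFFIX`), and the accesslog database's admin rule names `ou=groupes,$SUFFIX` while the main database uses `ou=groups,$SUFFIX`; both look like typos that make those lookups fail silently.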
lib/setup-slapd.help
1
création d'une nouvelle base, avec un nouveau suffixe
2

  
3
Paramètrage de freeradius pour la connexion à cette base
lib/u-auth
1
#!/bin/sh
2

  
3
ME=`basename $0`
4
COMMANDDIR=`dirname $0`/lib
5
test -d ${COMMANDDIR} || COMMANDDIR=/usr/lib/`basename $0`
6

  
7
help() {
8
        msg="$1"
9
        test -n "$msg" && echo $msg
10
        echo "syntaxe: $ME commande ..."
11
        echo ""
12
        echo "commandes disponibles:"
13
                echo "  help            cette aide"
14
        for fcom in $COMMANDDIR/*.help
15
        do
16
                com=`basename $fcom .help`
17
                descr=`head -1 $fcom`
18
                echo "  "$com"          "$descr
19
        done
20
        test -n "$msg" && exit 1
21
        exit 0
22
}
23

  
24
helpcmd() {
25
        command=$1
26
        xcommand=$COMMANDDIR/$command
27
        test -x $xcommand || help "ERR: commande inconnue ($command)"
28
        echo "$ME $command"
29
        cat $xcommand.help
30
}
31

  
32
command=$1
33
test -z $command && help "ERR: commande manquante"
34
shift
35

  
36
case $command in
37
        help)
38
                test -z "$1" && help
39
                helpcmd $1
40
                ;;
41
        *)
42
                xcommand=$COMMANDDIR/$command
43
                test -x $xcommand || help "ERR: commande inconnue ($command)"
44
                $xcommand "$@"
45
                ;;
46
esac
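Review bot: `test -z $command` and `test -x $xcommand` are unquoted, so an empty or space-containing first argument changes the meaning of the test instead of being rejected; use `test -z "$command"` and `test -x "$xcommand"` (helpcmd has the same pattern). Since the command name is joined to `$COMMANDDIR` and then executed, validating it as a plain word before the dispatch, e.g. `case $command in */*|.*|'') help "ERR: commande inconnue ($command)";; esac`, keeps the dispatcher to what actually lives in the lib/ directory. In help, `for fcom in $COMMANDDIR/*.help` yields the literal pattern when no help file matches, and `head -1 $fcom`, `cat $xcommand.help` and `echo $msg` want quoting as well.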
schema/radius.ldif
1
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
2
# CRC32 283edc8d
3
# Put this file to /etc/ldap/schema/ and then execute the following 
4
# comand to add this schema:
5
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/radius.ldif
6
dn: cn=radius,cn=schema,cn=config
7
objectClass: olcSchemaConfig
8
cn: radius
9
olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' D
10
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
11
 GLE-VALUE )
12
olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' D
13
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
14
 GLE-VALUE )
15
olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess'
16
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
17
 INGLE-VALUE )
18
olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC
19
  'checkItem: Auth-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466
20
 .115.121.1.26 SINGLE-VALUE )
21
olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DES
22
 C 'replyItem: Callback-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1
23
 466.115.121.1.26 SINGLE-VALUE )
24
olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber'
25
  DESC 'replyItem: Callback-Number' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6
26
 .1.4.1.1466.115.121.1.26 SINGLE-VALUE )
27
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId
28
 ' DESC 'checkItem: Called-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.
29
 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
30
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationI
31
 d' DESC 'checkItem: Calling-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 
32
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
33
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC 're
34
 plyItem: Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
35
 .1.26 )
36
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddres
37
 s' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
38
  SINGLE-VALUE )
39
olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC
40
  'replyItem: Filter-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466
41
 .115.121.1.26 )
42
olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTa
43
 lkLink' DESC 'replyItem: Framed-AppleTalk-Link' EQUALITY caseIgnoreIA5Match
44
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
45
olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTa
46
 lkNetwork' DESC 'replyItem: Framed-AppleTalk-Network' EQUALITY caseIgnoreIA
47
 5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
48
olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTa
49
 lkZone' DESC 'replyItem: Framed-AppleTalk-Zone' EQUALITY caseIgnoreIA5Match
50
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
51
olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompres
52
 sion' DESC 'replyItem: Framed-Compression' EQUALITY caseIgnoreIA5Match SYNT
53
 AX 1.3.6.1.4.1.1466.115.121.1.26 )
54
olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddre
55
 ss' DESC 'replyItem: Framed-IP-Address' EQUALITY caseIgnoreIA5Match SYNTAX 
56
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
57
olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetma
58
 sk' DESC 'replyItem: Framed-IP-Netmask' EQUALITY caseIgnoreIA5Match SYNTAX 
59
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
60
olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetw
61
 ork' DESC 'replyItem: Framed-IPX-Network' EQUALITY caseIgnoreIA5Match SYNTA
62
 X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
63
olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DE
64
 SC 'replyItem: Framed-MTU' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1
65
 466.115.121.1.26 SINGLE-VALUE )
66
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtoco
67
 l' DESC 'replyItem: Framed-Protocol' EQUALITY caseIgnoreIA5Match SYNTAX 1.3
68
 .6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
69
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' 
70
 DESC 'replyItem: Framed-Route' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
71
 .1.1466.115.121.1.26 )
72
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting
73
 ' DESC 'replyItem: Framed-Routing' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6
74
 .1.4.1.1466.115.121.1.26 SINGLE-VALUE )
75
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DE
76
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
77
olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC ''
78
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
79
 LUE )
80
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName
81
 ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
82
 )
83
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' 
84
 DESC 'replyItem: Idle-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
85
 .1.1466.115.121.1.26 SINGLE-VALUE )
86
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' 
87
 DESC 'replyItem: Login-IP-Host' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.
88
 4.1.1466.115.121.1.26 )
89
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup
90
 ' DESC 'replyItem: Login-LAT-Group' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.
91
 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
92
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode'
93
  DESC 'replyItem: Login-LAT-Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.
94
 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
95
olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort'
96
  DESC 'replyItem: Login-LAT-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.
97
 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
98
olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATServi
99
 ce' DESC 'replyItem: Login-LAT-Service' EQUALITY caseIgnoreIA5Match SYNTAX 
100
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
101
olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService'
102
  DESC 'replyItem: Login-Service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1
103
 .4.1.1466.115.121.1.26 SINGLE-VALUE )
104
olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort'
105
  DESC 'replyItem: Login-TCP-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.
106
 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
107
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry
108
 ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
109
 SINGLE-VALUE )
110
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DE
111
 SC 'replyItem: Port-Limit' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1
112
 466.115.121.1.26 SINGLE-VALUE )
113
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DE
114
 SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
115
 SINGLE-VALUE )
116
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC 
117
 '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
118
 VALUE )
119
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm'
120
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
121
 INGLE-VALUE )
122
olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRe
123
 alm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
124
 26 SINGLE-VALUE )
125
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC '
126
 ' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
127
 ALUE )
128
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' 
129
 DESC 'replyItem: Service-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
130
 .1.1466.115.121.1.26 SINGLE-VALUE )
131
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeou
132
 t' DESC 'replyItem: Session-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3
133
 .6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
134
olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAc
135
 tion' DESC 'replyItem: Termination-Action' EQUALITY caseIgnoreIA5Match SYNT
136
 AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
137
olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignm
138
 entId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
139
 1.26 )
140
olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumT
141
 ype' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
142
 26 )
143
olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPasswor
144
 d' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
145
  SINGLE-VALUE )
146
olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPrefere
147
 nce' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
148
 26 )
149
olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivate
150
 GroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
151
 1.1.26 )
152
olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerE
153
 ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
154
 1.1.26 )
155
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' D
156
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
157
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' 
158
 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
159
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientE
160
 ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
161
 1.1.26 )
162
olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousU
163
 se' DESC 'checkItem: Simultaneous-Use' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
164
  SINGLE-VALUE )
165
olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DE
166
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
167
 LE-VALUE )
168
olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory'
169
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
170
 INGLE-VALUE )
171
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName
172
 ' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
173
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC 
174
 '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
175
 VALUE )
176
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' D
177
 ESC 'checkItem: Expiration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.
178
 1466.115.121.1.26 SINGLE-VALUE )
179
olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DE
180
 SC 'checkItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14
181
 66.115.121.1.26 )
182
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DE
183
 SC 'replyItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14
184
 66.115.121.1.26 )
185
olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress'
186
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
187
 INGLE-VALUE )
188
olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage'
189
  DESC 'replyItem: Reply-Message' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1
190
 .4.1.1466.115.121.1.26 )
191
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC ''
192
  SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ 
193
 radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNu
194
 mber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiu
195
 sClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFrame
196
 dAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ r
197
 adiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ rad
198
 iusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ r
199
 adiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupNam
200
 e $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGr
201
 oup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ rad
202
 iusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetr
203
 y $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ rad
204
 iusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStri
205
 pUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusPr
206
 ofileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMe
207
 diumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPriv
208
 ateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCate
209
 gory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ r
210
 adiusReplyMessage ) )
211
olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' D
212
 ESC 'A Container Objectclass to be used for creating radius profile object'
213
  SUP top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) )
214

  
share/config.ldif
1
dn: cn=config
2
objectClass: olcGlobal
3
cn: config
4
olcArgsFile: /var/run/slapd/slapd.args
5
olcPidFile: /var/run/slapd/slapd.pid
6
olcToolThreads: 1
7
olcLogLevel: none
8
olcServerId: 1
9

  
10
dn: cn=module{0},cn=config
11
objectClass: olcModuleList
12
cn: module{0}
13
olcModulePath: /usr/lib/ldap
14
olcModuleLoad: {0}back_hdb
15
olcModuleLoad: {1}back_monitor
16
olcModuleLoad: {2}back_mdb
17
olcModuleLoad: {3}accesslog
18
olcModuleLoad: {4}unique
19
olcModuleLoad: {5}refint
20
olcModuleLoad: {6}constraint
21
olcModuleLoad: {7}syncprov
22

  
23
dn: cn=schema,cn=config
24
objectClass: olcSchemaConfig
25
cn: schema
26

  
27
dn: olcDatabase={-1}frontend,cn=config
28
objectClass: olcDatabaseConfig
29
objectClass: olcFrontendConfig
30
olcDatabase: {-1}frontend
31
olcAccess: {0}to *
32
   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
33
   by * break
34
olcAccess: {1}to dn.exact="" by * read
35
olcAccess: {2}to dn.base="cn=Subschema" by * read
36
olcSizeLimit: 500
37

  
38
dn: olcDatabase={0}config,cn=config
39
objectClass: olcDatabaseConfig
40
olcDatabase: {0}config
41
olcAccess: {0}to *
42
   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage 
43
   by * break
44
olcRootDN: cn=admin,cn=config
45

  
46
dn: olcDatabase={1}mdb,cn=config
47
objectClass: olcDatabaseConfig
48
objectClass: olcMdbConfig
49
olcSuffix: cn=config-accesslog
50
olcDbDirectory: /var/lib/ldap/config-accesslog/
51
# Allow reading accesslog only by root
52
olcAccess: {0}to * 
53
   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read 
54
   by * break
55

  
56
dn: olcDatabase={1}monitor,cn=config
57
objectClass: olcDatabaseConfig
58
objectClass: olcMonitorConfig
59
olcDatabase: {1}monitor
60
# Allow reading monitoring only by root
61
olcAccess: {0}to * 
62
   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
63
   by * break
64

  
65
# Log all writes to the configuration
66
dn: olcOverlay={0}accesslog,olcDatabase={0}config,cn=config
67
objectClass: olcAccesslogConfig
68
objectClass: olcOverlayConfig
69
objectClass: olcConfig
70
objectClass: top
71
olcOverlay: {0}accesslog
72
olcAccessLogDB: cn=config-accesslog
73
olcAccessLogOps: writes
74
# log are conserved one year and purged every day
75
olcAccessLogPurge: 365+00:00 1+00:00
76
olcAccessLogOld: objectClass=olcConfig
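Review bot: `olcLogLevel: none` turns off connection and operation logging for the directory that backs RADIUS authentication, so failed binds against `uid=admin,ou=people,...` or attempts on the root-only accesslog and monitor databases leave no trace in syslog; `olcLogLevel: stats` is the usual minimum for an authentication backend and is cheap. Two database entries share the index `{1}` (`olcDatabase={1}mdb,cn=config` and `olcDatabase={1}monitor,cn=config`) and the mdb entry has no `olcDatabase:` attribute unlike its siblings — I cannot tell from here how `slapadd -n0` orders these, so the resulting numbering is worth confirming, since setup-slapd later addresses `olcDatabase={2}mdb`. `olcModuleLoad: {0}back_hdb` is loaded but no hdb database is defined in this file; drop it unless something outside this file relies on it.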
share/radius-default.conf
1
#  Authorization. First preprocess (hints and huntgroups files),
2
#  then realms, and finally look in the "users" file.
3
#
4
#  Any changes made here should also be made to the "inner-tunnel"
5
#  virtual server.
6
#
7
#  The order of the realm modules will determine the order that
8
#  we try to find a matching realm.
9
#
10
#  Make *sure* that 'preprocess' comes before any realm if you 
11
#  need to setup hints for the remote radius server
12
authorize {
13

  
14
	#
15
	#  Security settings.  Take a User-Name, and do some simple
16
	#  checks on it, for spaces and other invalid characters.  If
17
	#  it looks like the user is trying to play games, reject it.
18
	#
19
	#  This should probably be enabled by default.
20
	#
21
	#  See policy.conf for the definition of the filter_username policy.
22
	#
23
#	filter_username
24

  
25
	#
26
	#  The preprocess module takes care of sanitizing some bizarre
27
	#  attributes in the request, and turning them into attributes
28
	#  which are more standard.
29
	#
30
	#  It takes care of processing the 'raddb/hints' and the
31
	#  'raddb/huntgroups' files.
32
	preprocess
33

  
34
	#
35
	#  If you want to have a log of authentication requests,
36
	#  un-comment the following line, and the 'detail auth_log'
37
	#  section, above.
38
	auth_log
39

  
40
	ldap
41

  
42
	#
43
	#  The chap module will set 'Auth-Type := CHAP' if we are
44
	#  handling a CHAP request and Auth-Type has not already been set
45
	chap
46

  
47
	#
48
	#  If the users are logging in with an MS-CHAP-Challenge
49
	#  attribute for authentication, the mschap module will find
50
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
51
	#  to the request, which will cause the server to then use
52
	#  the mschap module for authentication.
53
	mschap
54

  
55
	#
56
	#  If you have a Cisco SIP server authenticating against
57
	#  FreeRADIUS, uncomment the following line, and the 'digest'
58
	#  line in the 'authenticate' section.
59
	digest
60

  
61
	#
62
	#  The WiMAX specification says that the Calling-Station-Id
63
	#  is 6 octets of the MAC.  This definition conflicts with
64
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
65
	#  the "wimax" module here means that it will fix the
66
	#  Calling-Station-Id attribute to the normal format as
67
	#  specified in RFC 3580 Section 3.21
68
#	wimax
69

  
70
	#
71
	#  Look for IPASS style 'realm/', and if not found, look for
72
	#  '@realm', and decide whether or not to proxy, based on
73
	#  that.
74
#	IPASS
75

  
76
	#
77
	#  If you are using multiple kinds of realms, you probably
78
	#  want to set "ignore_null = yes" for all of them.
79
	#  Otherwise, when the first style of realm doesn't match,
80
	#  the other styles won't be checked.
81
	#
82
	suffix
83
#	ntdomain
84

  
85
	#
86
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
87
	#  authentication.
88
	#
89
	#  It also sets the EAP-Type attribute in the request
90
	#  attribute list to the EAP type from the packet.
91
	#
92
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
93
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
94
	#  this change is compatible with older configurations.
95
	#
96
	#  The example below uses module failover to avoid querying all
97
	#  of the following modules if the EAP module returns "ok".
98
	#  Therefore, your LDAP and/or SQL servers will not be queried
99
	#  for the many packets that go back and forth to set up TTLS
100
	#  or PEAP.  The load on those servers will therefore be reduced.
101
	#
102
	eap {
103
		ok = return
104
	}
105

  
106
	#
107
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
108
	#  using the system API's to get the password.  If you want
109
	#  to read /etc/passwd or /etc/shadow directly, see the
110
	#  passwd module in radiusd.conf.
111
	#
112
#	unix
113

  
114
	#
115
	#  Read the 'users' file
116
#	files
117

  
118
	#
119
	#  Look in an SQL database.  The schema of the database
120
	#  is meant to mirror the "users" file.
121
	#
122
	#  See "Authorization Queries" in sql.conf
123
#	sql
124

  
125
	#
126
	#  If you are using /etc/smbpasswd, and are also doing
127
	#  mschap authentication, the un-comment this line, and
128
	#  configure the 'smbpasswd' module.
129
#	smbpasswd
130

  
131
        exec
132
	#
133
	#  The ldap module will set Auth-Type to LDAP if it has not
134
	#  already been set
135

  
136
	#
137
	#  Enforce daily limits on time spent logged in.
138
#	daily
139

  
140
	#
141
	# Use the checkval module
142
#	checkval
143

  
144
	expiration
145
	logintime
146

  
147
	#
148
	#  If no other module has claimed responsibility for
149
	#  authentication, then try to use PAP.  This allows the
150
	#  other modules listed above to add a "known good" password
151
	#  to the request, and to do nothing else.  The PAP module
152
	#  will then see that password, and use it to do PAP
153
	#  authentication.
154
	#
155
	#  This module should be listed last, so that the other modules
156
	#  get a chance to set Auth-Type for themselves.
157
	#
158
	pap
159

  
160
	#
161
	#  If "status_server = yes", then Status-Server messages are passed
162
	#  through the following section, and ONLY the following section.
163
	#  This permits you to do DB queries, for example.  If the modules
164
	#  listed here return "fail", then NO response is sent.
165
	#
166
#	Autz-Type Status-Server {
167
#
168
#	}
169
}
170

  
171

  
172
#  Authentication.
173
#
174
#
175
#  This section lists which modules are available for authentication.
176
#  Note that it does NOT mean 'try each module in order'.  It means
177
#  that a module from the 'authorize' section adds a configuration
178
#  attribute 'Auth-Type := FOO'.  That authentication type is then
179
#  used to pick the apropriate module from the list below.
180
#
181

  
182
#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
183
#  will figure it out on its own, and will do the right thing.  The
184
#  most common side effect of erroneously setting the Auth-Type
185
#  attribute is that one authentication method will work, but the
186
#  others will not.
187
#
188
#  The common reasons to set the Auth-Type attribute by hand
189
#  is to either forcibly reject the user (Auth-Type := Reject),
190
#  or to or forcibly accept the user (Auth-Type := Accept).
191
#
192
#  Note that Auth-Type := Accept will NOT work with EAP.
193
#
194
#  Please do not put "unlang" configurations into the "authenticate"
195
#  section.  Put them in the "post-auth" section instead.  That's what
196
#  the post-auth section is for.
197
#
198
authenticate {
199
	#
200
	#  PAP authentication, when a back-end database listed
201
	#  in the 'authorize' section supplies a password.  The
202
	#  password can be clear-text, or encrypted.
203
	Auth-Type PAP {
204
		pap
205
	}
206

  
207
	#
208
	#  Most people want CHAP authentication
209
	#  A back-end database listed in the 'authorize' section
210
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
211
	#  won't work.
212
	Auth-Type CHAP {
213
		chap
214
	}
215

  
216
	#
217
	#  MSCHAP authentication.
218
	Auth-Type MS-CHAP {
219
		mschap
220
	}
221

  
222
	#
223
	#  If you have a Cisco SIP server authenticating against
224
	#  FreeRADIUS, uncomment the following line, and the 'digest'
225
	#  line in the 'authorize' section.
226
	digest
227

  
228
	#
229
	#  Pluggable Authentication Modules.
230
#	pam
231

  
232
	#
233
	#  See 'man getpwent' for information on how the 'unix'
234
	#  module checks the users password.  Note that packets
235
	#  containing CHAP-Password attributes CANNOT be authenticated
236
	#  against /etc/passwd!  See the FAQ for details.
237
	#
238
	#  For normal "crypt" authentication, the "pap" module should
239
	#  be used instead of the "unix" module.  The "unix" module should
240
	#  be used for authentication ONLY for compatibility with legacy
241
	#  FreeRADIUS configurations.
242
	#
243
	unix
244

  
245
	# Uncomment it if you want to use ldap for authentication
246
	#
247
	# Note that this means "check plain-text password against
248
	# the ldap database", which means that EAP won't work,
249
	# as it does not supply a plain-text password.
250
	Auth-Type LDAP {
251
		ldap
252
	}
253

  
254
	#
255
	#  Allow EAP authentication.
256
	eap
257

  
258
	#
259
	#  The older configurations sent a number of attributes in
260
	#  Access-Challenge packets, which wasn't strictly correct.
261
	#  If you want to filter out these attributes, uncomment
262
	#  the following lines.
263
	#
264
#	Auth-Type eap {
265
#		eap {
266
#			handled = 1  
267
#		}
268
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
269
#			attr_filter.access_challenge.post-auth
270
#			handled  # override the "updated" code from attr_filter
271
#		}
272
#	}
273
}
274

  
275

  
276
#
277
#  Pre-accounting.  Decide which accounting type to use.
278
#
279
preacct {
280
	preprocess
281

  
282
	#
283
	#  Session start times are *implied* in RADIUS.
284
	#  The NAS never sends a "start time".  Instead, it sends
285
	#  a start packet, *possibly* with an Acct-Delay-Time.
286
	#  The server is supposed to conclude that the start time
287
	#  was "Acct-Delay-Time" seconds in the past.
288
	#
289
	#  The code below creates an explicit start time, which can
290
	#  then be used in other modules.
291
	#
292
	#  The start time is: NOW - delay - session_length
293
	#
294

  
295
#	  update request {
296
#	  	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
297
#	}
298

  
299

  
300
	#
301
	#  Ensure that we have a semi-unique identifier for every
302
	#  request, and many NAS boxes are broken.
303
	acct_unique
304

  
305
	#
306
	#  Look for IPASS-style 'realm/', and if not found, look for
307
	#  '@realm', and decide whether or not to proxy, based on
308
	#  that.
309
	#
310
	#  Accounting requests are generally proxied to the same
311
	#  home server as authentication requests.
312
#	IPASS
313
	suffix
314
#	ntdomain
315

  
316
	#
317
	#  Read the 'acct_users' file
318
	files
319
}
320

  
321
#
322
#  Accounting.  Log the accounting data.
323
#
324
accounting {
325
	#
326
	#  Create a 'detail'ed log of the packets.
327
	#  Note that accounting requests which are proxied
328
	#  are also logged in the detail file.
329
	detail
330
#	daily
331

  
332
	#  Update the wtmp file
333
	#
334
	#  If you don't use "radlast", you can delete this line.
335
#	unix
336

  
337
	#
338
	#  For Simultaneous-Use tracking.
339
	#
340
	#  Due to packet losses in the network, the data here
341
	#  may be incorrect.  There is little we can do about it.
342
#	radutmp
343
#	sradutmp
344

  
345
	#  Return an address to the IP Pool when we see a stop record.
346
#	main_pool
347

  
348
	#
349
	#  Log traffic to an SQL database.
350
	#
351
	#  See "Accounting queries" in sql.conf
352
#	sql
353

  
354
	#
355
	#  If you receive stop packets with zero session length,
356
	#  they will NOT be logged in the database.  The SQL module
357
	#  will print a message (only in debugging mode), and will
358
	#  return "noop".
359
	#
360
	#  You can ignore these packets by uncommenting the following
361
	#  three lines.  Otherwise, the server will not respond to the
362
	#  accounting request, and the NAS will retransmit.
363
	#
364
#	if (noop) {
365
#		ok
366
#	}
367

  
368
	#
369
	#  Instead of sending the query to the SQL server,
370
	#  write it into a log file.
371
	#
372
#	sql_log
373

  
374
	#  Cisco VoIP specific bulk accounting
375
#	pgsql-voip
376

  
377
	# For Exec-Program and Exec-Program-Wait
378
	exec
379

  
380
	#  Filter attributes from the accounting response.
381
	attr_filter.accounting_response
382

  
383
	#
384
	#  See "Autz-Type Status-Server" for how this works.
385
	#
386
#	Acct-Type Status-Server {
387
#
388
#	}
389
}
390

  
391

  
392
#  Session database, used for checking Simultaneous-Use. Either the radutmp 
393
#  or rlm_sql module can handle this.
394
#  The rlm_sql module is *much* faster
395
session {
396
	radutmp
397

  
398
	#
399
	#  See "Simultaneous Use Checking Queries" in sql.conf
400
#	sql
401
}
402

  
403

  
404
#  Post-Authentication
405
#  Once we KNOW that the user has been authenticated, there are
406
#  additional steps we can take.
407
post-auth {
408
	#  Get an address from the IP Pool.
409
#	main_pool
410

  
411
	#
412
	#  If you want to have a log of authentication replies,
413
	#  un-comment the following line, and the 'detail reply_log'
414
	#  section, above.
415
#	reply_log
416

  
417
	#
418
	#  After authenticating the user, do another SQL query.
419
	#
420
	#  See "Authentication Logging Queries" in sql.conf
421
#	sql
422

  
423
	#
424
	#  Instead of sending the query to the SQL server,
425
	#  write it into a log file.
426
	#
427
#	sql_log
428

  
429
	#
430
	#  Un-comment the following if you have set
431
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
432
	#  the 'modules' section.
433
	#
434
#	ldap
435

  
436
	# For Exec-Program and Exec-Program-Wait
437
	exec
438

  
439
	#
440
	#  Calculate the various WiMAX keys.  In order for this to work,
441
	#  you will need to define the WiMAX NAI, usually via
442
	#
443
	#	update request {
444
	#	       WiMAX-MN-NAI = "%{User-Name}"
445
	#	}
446
	#
447
	#  If you want various keys to be calculated, you will need to
448
	#  update the reply with "template" values.  The module will see
449
	#  this, and replace the template values with the correct ones
450
	#  taken from the cryptographic calculations.  e.g.
451
	#
452
	# 	update reply {
453
	#		WiMAX-FA-RK-Key = 0x00
454
	#		WiMAX-MSK = "%{EAP-MSK}"
455
	#	}
456
	#
457
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
458
	#  as some WiMAX clients behave badly when those attributes
459
	#  are included.  See "raddb/modules/wimax", configuration
460
	#  entry "delete_mppe_keys" for more information.
461
	#
462
#	wimax
463

  
464
	#  If there is a client certificate (EAP-TLS, sometimes PEAP
465
	#  and TTLS), then some attributes are filled out after the
466
	#  certificate verification has been performed.  These fields
467
	#  MAY be available during the authentication, or they may be
468
	#  available only in the "post-auth" section.
469
	#
470
	#  The first set of attributes contains information about the
471
	#  issuing certificate which is being used.  The second
472
	#  contains information about the client certificate (if
473
	#  available).
474
#
475
#	update reply {
476
#	       Reply-Message += "%{TLS-Cert-Serial}"
477
#	       Reply-Message += "%{TLS-Cert-Expiration}"
478
#	       Reply-Message += "%{TLS-Cert-Subject}"
479
#	       Reply-Message += "%{TLS-Cert-Issuer}"
480
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
481
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
482
#
483
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
484
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
485
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
486
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
487
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
488
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
489
#	}
490

  
491
	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
492
	#  want to send it for all EAP sessions.  Therefore, the EAP
493
	#  modules put required data into the EAP-Session-Id attribute.
494
	#  This attribute is never put into a request or reply packet.
495
	#
496
	#  Uncomment the next few lines to copy the required data into
497
	#  the EAP-Key-Name attribute
498
#	if (reply:EAP-Session-Id) {
499
#		update reply {
500
#			EAP-Key-Name := "%{reply:EAP-Session-Id}"
501
#		}
502
#	}
503

  
504
	#  If the WiMAX module did it's work, you may want to do more
505
	#  things here, like delete the MS-MPPE-*-Key attributes.
506
	#
507
	#	if (updated) {
508
	#		update reply {
509
	#			MS-MPPE-Recv-Key !* 0x00
510
	#			MS-MPPE-Send-Key !* 0x00
511
	#		}
512
	#	}
513

  
514
	#
515
	#  Access-Reject packets are sent through the REJECT sub-section of the
516
	#  post-auth section.
517
	#
518
	#  Add the ldap module name (or instance) if you have set 
519
	#  'edir_account_policy_check = yes' in the ldap module configuration
520
	#
521
	Post-Auth-Type REJECT {
522
		# log failed authentications in SQL, too.
523
#		sql
524
		attr_filter.access_reject
525
	}
526
}
527

  
528
#
529
#  When the server decides to proxy a request to a home server,
530
#  the proxied request is first passed through the pre-proxy
531
#  stage.  This stage can re-write the request, or decide to
532
#  cancel the proxy.
533
#
534
#  Only a few modules currently have this method.
535
#
536
pre-proxy {
537
#	attr_rewrite
538

  
539
	#  Uncomment the following line if you want to change attributes
540
	#  as defined in the preproxy_users file.
541
#	files
542

  
543
	#  Uncomment the following line if you want to filter requests
544
	#  sent to remote servers based on the rules defined in the
545
	#  'attrs.pre-proxy' file.
546
#	attr_filter.pre-proxy
547

  
548
	#  If you want to have a log of packets proxied to a home
549
	#  server, un-comment the following line, and the
550
	#  'detail pre_proxy_log' section, above.
551
#	pre_proxy_log
552
}
553

  
554
#
555
#  When the server receives a reply to a request it proxied
556
#  to a home server, the request may be massaged here, in the
557
#  post-proxy stage.
558
#
559
post-proxy {
560

  
561
	#  If you want to have a log of replies from a home server,
562
	#  un-comment the following line, and the 'detail post_proxy_log'
563
	#  section, above.
564
#	post_proxy_log
565

  
566
#	attr_rewrite
567

  
568
	#  Uncomment the following line if you want to filter replies from
569
	#  remote proxies based on the rules defined in the 'attrs' file.
570
#	attr_filter.post-proxy
571

  
572
	#
573
	#  If you are proxying LEAP, you MUST configure the EAP
574
	#  module, and you MUST list it here, in the post-proxy
575
	#  stage.
576
	#
577
	#  You MUST also use the 'nostrip' option in the 'realm'
578
	#  configuration.  Otherwise, the User-Name attribute
579
	#  in the proxied request will not match the user name
580
	#  hidden inside of the EAP packet, and the end server will
581
	#  reject the EAP request.
582
	#
583
	eap
584

  
585
	#
586
	#  If the server tries to proxy a request and fails, then the
587
	#  request is processed through the modules in this section.
588
	#
589
	#  The main use of this section is to permit robust proxying
590
	#  of accounting packets.  The server can be configured to
591
	#  proxy accounting packets as part of normal processing.
592
	#  Then, if the home server goes down, accounting packets can
593
	#  be logged to a local "detail" file, for processing with
594
	#  radrelay.  When the home server comes back up, radrelay
595
	#  will read the detail file, and send the packets to the
596
	#  home server.
597
	#
598
	#  With this configuration, the server always responds to
599
	#  Accounting-Requests from the NAS, but only writes
600
	#  accounting packets to disk if the home server is down.
601
	#
602
#	Post-Proxy-Type Fail {
603
#			detail
604
#	}
605
}
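Review bot: The comment at lines 132–134 ("The ldap module will set Auth-Type to LDAP if it has not already been set") is stranded under `exec` at line 131, because the `ldap` entry it describes now sits at line 40 in the authorize section; move those three comment lines directly above `ldap` so the comment and the entry it explains stay together. Line 131 also indents `exec` with eight spaces while every other entry in the file uses a tab, so `	exec` would keep the file consistent. Since `auth_log` is enabled at line 38, whether credentials from Access-Request packets end up on disk depends on the `detail auth_log` instance configured elsewhere, so it is worth confirming that instance suppresses User-Password.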
share/radius.ldif
1
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
2
# CRC32 f395ae99
3
dn: cn=radius,cn=schema,cn=config
4
objectClass: olcSchemaConfig
5
cn: radius
6
olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' D
7
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
8
 GLE-VALUE )
9
olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' D
10
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN
11
 GLE-VALUE )
12
olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess'
13
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
14
 INGLE-VALUE )
15
olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC
16
  'checkItem: Auth-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466
17
 .115.121.1.26 SINGLE-VALUE )
18
olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DES
19
 C 'replyItem: Callback-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1
20
 466.115.121.1.26 SINGLE-VALUE )
21
olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber'
22
  DESC 'replyItem: Callback-Number' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6
23
 .1.4.1.1466.115.121.1.26 SINGLE-VALUE )
24
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId
25
 ' DESC 'checkItem: Called-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.
26
 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
27
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationI
28
 d' DESC 'checkItem: Calling-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 
29
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
30
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC 're
31
 plyItem: Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
32
 .1.26 )
33
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddres
34
 s' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
35
  SINGLE-VALUE )
36
olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC
37
  'replyItem: Filter-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466
38
 .115.121.1.26 )
39
olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTa
40
 lkLink' DESC 'replyItem: Framed-AppleTalk-Link' EQUALITY caseIgnoreIA5Match
41
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
42
olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTa
43
 lkNetwork' DESC 'replyItem: Framed-AppleTalk-Network' EQUALITY caseIgnoreIA
44
 5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
45
olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTa
46
 lkZone' DESC 'replyItem: Framed-AppleTalk-Zone' EQUALITY caseIgnoreIA5Match
47
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
48
olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompres
49
 sion' DESC 'replyItem: Framed-Compression' EQUALITY caseIgnoreIA5Match SYNT
50
 AX 1.3.6.1.4.1.1466.115.121.1.26 )
51
olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddre
52
 ss' DESC 'replyItem: Framed-IP-Address' EQUALITY caseIgnoreIA5Match SYNTAX 
53
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
54
olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetma
55
 sk' DESC 'replyItem: Framed-IP-Netmask' EQUALITY caseIgnoreIA5Match SYNTAX 
56
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
57
olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetw
58
 ork' DESC 'replyItem: Framed-IPX-Network' EQUALITY caseIgnoreIA5Match SYNTA
59
 X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
60
olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DE
61
 SC 'replyItem: Framed-MTU' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1
62
 466.115.121.1.26 SINGLE-VALUE )
63
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtoco
64
 l' DESC 'replyItem: Framed-Protocol' EQUALITY caseIgnoreIA5Match SYNTAX 1.3
65
 .6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
66
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' 
67
 DESC 'replyItem: Framed-Route' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
68
 .1.1466.115.121.1.26 )
69
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting
70
 ' DESC 'replyItem: Framed-Routing' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6
71
 .1.4.1.1466.115.121.1.26 SINGLE-VALUE )
72
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DE
73
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
74
olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC ''
75
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
76
 LUE )
77
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName
78
 ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
79
 )
80
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' 
81
 DESC 'replyItem: Idle-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
82
 .1.1466.115.121.1.26 SINGLE-VALUE )
83
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' 
84
 DESC 'replyItem: Login-IP-Host' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.
85
 4.1.1466.115.121.1.26 )
86
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup
87
 ' DESC 'replyItem: Login-LAT-Group' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.
88
 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
89
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode'
90
  DESC 'replyItem: Login-LAT-Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.
91
 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
92
olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort'
93
  DESC 'replyItem: Login-LAT-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.
94
 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
95
olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATServi
96
 ce' DESC 'replyItem: Login-LAT-Service' EQUALITY caseIgnoreIA5Match SYNTAX 
97
 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
98
olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService'
99
  DESC 'replyItem: Login-Service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1
100
 .4.1.1466.115.121.1.26 SINGLE-VALUE )
101
olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort'
102
  DESC 'replyItem: Login-TCP-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.
103
 1.4.1.1466.115.121.1.26 SINGLE-VALUE )
104
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry
105
 ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
106
 SINGLE-VALUE )
107
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DE
108
 SC 'replyItem: Port-Limit' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1
109
 466.115.121.1.26 SINGLE-VALUE )
110
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DE
111
 SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
112
 SINGLE-VALUE )
113
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC 
114
 '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
115
 VALUE )
116
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm'
117
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
118
 INGLE-VALUE )
119
olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRe
120
 alm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
121
 26 SINGLE-VALUE )
122
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC '
123
 ' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V
124
 ALUE )
125
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' 
126
 DESC 'replyItem: Service-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
127
 .1.1466.115.121.1.26 SINGLE-VALUE )
128
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeou
129
 t' DESC 'replyItem: Session-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3
130
 .6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
131
olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAc
132
 tion' DESC 'replyItem: Termination-Action' EQUALITY caseIgnoreIA5Match SYNT
133
 AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
134
olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignm
135
 entId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.
136
 1.26 )
137
olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumT
138
 ype' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
139
 26 )
140
olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPasswor
141
 d' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
142
  SINGLE-VALUE )
143
olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPrefere
144
 nce' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
145
 26 )
146
olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivate
147
 GroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
148
 1.1.26 )
149
olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerE
150
 ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
151
 1.1.26 )
152
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' D
153
 ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
154
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' 
155
 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
156
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientE
157
 ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12
158
 1.1.26 )
159
olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousU
160
 se' DESC 'checkItem: Simultaneous-Use' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
161
  SINGLE-VALUE )
162
olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DE
163
 SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING
164
 LE-VALUE )
165
olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory'
166
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
167
 INGLE-VALUE )
168
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName
169
 ' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
170
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC 
171
 '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
172
 VALUE )
173
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' D
174
 ESC 'checkItem: Expiration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.
175
 1466.115.121.1.26 SINGLE-VALUE )
176
olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DE
177
 SC 'checkItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14
178
 66.115.121.1.26 )
179
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DE
180
 SC 'replyItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14
181
 66.115.121.1.26 )
182
olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress'
183
  DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S
184
 INGLE-VALUE )
185
olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage'
186
  DESC 'replyItem: Reply-Message' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1
187
 .4.1.1466.115.121.1.26 )
188
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC ''
189
  SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ 
190
 radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNu
191
 mber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiu
192
 sClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFrame
193
 dAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ r
194
 adiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ rad
195
 iusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ r
196
 adiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupNam
197
 e $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGr
198
 oup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ rad
199
 iusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetr
200
 y $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ rad
201
 iusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStri
202
 pUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusPr
203
 ofileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMe
204
 diumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPriv
205
 ateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCate
206
 gory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ r
207
 adiusReplyMessage ) )
208
olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' D
209
 ESC 'A Container Objectclass to be used for creating radius profile object'
210
  SUP top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) )
u-auth.install
1
debian/u-auth-manage       /usr/bin
2
debian/settings.py         /etc/u-auth
3
debian/debian_config.py    /usr/lib/u-auth
4
debian/schema              /usr/lib/u-auth
1
debian/u-auth-manage             /usr/bin
2
debian/lib/u-auth                /usr/lib/u-auth/
3
debian/lib/setup-radius          /usr/lib/u-auth/
4
debian/lib/setup-slapd           /usr/lib/u-auth/
5
debian/lib/reset-slapd           /usr/lib/u-auth/
6
debian/share/config.ldif         /usr/share/u-auth
7
debian/share/radius-default.conf /usr/share/u-auth
8
debian/share/radius.ldif         /usr/share/u-auth
9
debian/settings.py               /etc/u-auth
10
debian/debian_config.py          /usr/lib/u-auth
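--- a/u-auth.postinst
+++ b/u-auth.postinst
@@ -29,6 +29,9 @@
         chown root:$GROUP $SECRET_FILE
         chmod 0440 $SECRET_FILE
     fi
+
+    /usr/lib/u-auth setup-slapd
+    /usr/lib/u-auth setup-radius
   ;;
 
   abort-upgrade|abort-remove|abort-deconfigure)
@@ -42,4 +45,4 @@
 
 #DEBHELPER#
 
-exit 0
+exit 0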
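Review bot: The two added lines `/usr/lib/u-auth setup-slapd` and `/usr/lib/u-auth setup-radius` appear to name a directory rather than a script: the install file in this same commit places `debian/lib/u-auth`, `debian/lib/setup-slapd` and `debian/lib/setup-radius` into `/usr/lib/u-auth/`, so `/usr/lib/u-auth` itself is the directory and the shell cannot execute it, which would abort the postinst on a fresh install. If the `u-auth` script dispatches subcommands, the lines should read `/usr/lib/u-auth/u-auth setup-slapd` and `/usr/lib/u-auth/u-auth setup-radius`; otherwise call `/usr/lib/u-auth/setup-slapd` and `/usr/lib/u-auth/setup-radius` directly. Please verify against the actual dh_install layout, since the install file is the only evidence visible here. The enclosing case arm starts outside the hunk.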
